Update planning docs to reflect current implementation state

- Doc 02: Add member_identifier table, member_number, primary_member_id,
  account_number auto-generation, isMinor override, tax_exemption as
  separate table, member move, updated business rules
- Doc 03: Document lookup table pattern replacing pgEnums for status and
  condition, add system/custom value distinction
- Doc 22: Mark all Phase 2 items as complete, add new tables to additions
  section, update audit findings, note admin frontend exists

planning/22_Audit_Phase2_Review.md

@@ -17,15 +17,19 @@ All deliverables built: monorepo config, Docker Compose (Postgres 16 + Valkey 8)
 Area | Status | Notes
 Auth (JWT + bcrypt) | Complete | Self-issued JWTs, role enum, register/login routes
 User table | Complete | company_id FK, unique email, 5 roles
-Account table | Complete | Added is_active (not in spec — good defensive addition)
-Member table | Complete | Added updated_at (not in spec — good practice)
+Account table | Complete | Added is_active, primary_member_id, auto-generated account_number
+Member table | Complete | Added updated_at, member_number, isMinor manual override
+Member identifiers | Complete | DL/passport/school ID with front/back image storage
 Account processor link | Complete | Processor-agnostic payment linking
-Account payment method | NOT BUILT | Specified in doc 02 but not implemented
+Account payment method | Complete | Card references with default flag, requires_update for migrations
+Tax exemptions | Complete | Separate table with approve/revoke workflow and audit trail
 Category table | Complete | Added parent_id for hierarchy, sort_order, is_active
 Supplier table | Complete | All columns present
 Product table | Complete | Cost removed — moved to stock_receipt (FIFO)
-Inventory unit table | Complete | Condition enum, status enum, serial number
-Shared Zod schemas | Complete | Auth, account, member, inventory schemas
+Inventory unit table | Complete | Condition and status via lookup tables (not enums), serial number
+Lookup tables | Complete | inventory_unit_status and item_condition as company-scoped configurable tables
+Shared Zod schemas | Complete | Auth, account, member, identifier, payment method, tax exemption, lookup, inventory schemas
+Admin frontend | Complete | React + Vite + shadcn/ui, accounts CRUD, members list, theme system
 
 ## 1.3 Additions Not in Original Planning
 
@@ -34,6 +38,11 @@ stock_receipt | FIFO cost tracking per purchase event | Replaces product.cost co
 price_history | Logs every retail price change | Auto-logged on product update
 consignment_detail | Consignment product linking | Links product to consignor account with commission %
 product_supplier | Many-to-many product ↔ supplier | Tracks supplier SKU and preferred supplier
+inventory_unit_status | Lookup table replacing pgEnum | Company-scoped, is_system flag, custom values allowed
+item_condition | Lookup table replacing pgEnum | Same pattern as unit status
+member_identifier | Identity documents per member | DL, passport, school ID with base64 image storage
+tax_exemption | Tax exempt certificates per account | Approve/revoke workflow with audit trail
+account_payment_method | Card references per account | Processor-agnostic, default flag, migration support
 
 ## 1.4 Planning Doc Inconsistencies
 
@@ -56,8 +65,8 @@ Dev auth had no production guard | HIGH | Dev auth plugin throws error if NODE_E
 ## 2.2 Issues Found — Not Yet Fixed (Lower Priority)
 
 Issue | Severity | Notes
-CORS in production is false | Medium | Blocks all cross-origin requests. Needs origin whitelist via CORS_ORIGINS env var. Fix when building frontend.
-No pagination on list endpoints | Medium | list() returns .limit(100) with no offset. Add cursor/offset pagination when data volumes grow.
+CORS in production is false | Medium | Blocks all cross-origin requests. Needs origin whitelist via CORS_ORIGINS env var. Admin frontend uses Vite proxy in dev — CORS not needed yet.
+~~No pagination on list endpoints~~ | ~~Medium~~ | FIXED — All list endpoints now support server-side pagination, search, and sort.
 Path parameters not validated as UUIDs | Low | Cast with `as { id: string }` but not validated. Drizzle handles gracefully (returns null). Add Zod param validation later.
 Login schema accepts min(1) password | Low | Should match register's min(8) for consistency. Not a real security risk since bcrypt compare handles it.
 No JWT secret strength validation | Low | Only checks if set, not length/entropy. Add min 32 char check.